CWE-444
AllowedInconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Abstraction: Base · Status: Incomplete
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
551 vulnerabilities reference this CWE, most recent first.
GHSA-6QGJ-9JQG-72W5
Vulnerability from github – Published: 2022-01-12 00:01 – Updated: 2023-06-26 21:30A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition. This vulnerability is due to improper input validation when parsing HTTPS requests. An attacker could exploit this vulnerability by sending a malicious HTTPS request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2021-1573"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-444",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-11T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition. This vulnerability is due to improper input validation when parsing HTTPS requests. An attacker could exploit this vulnerability by sending a malicious HTTPS request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.",
"id": "GHSA-6qgj-9jqg-72w5",
"modified": "2023-06-26T21:30:54Z",
"published": "2022-01-12T00:01:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1573"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-KSqJAKPA"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6VCF-CFJP-QXCW
Vulnerability from github – Published: 2023-05-12 12:30 – Updated: 2025-01-27 18:33LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "lavalite/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27238"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-12T15:21:06Z",
"nvd_published_at": "2023-05-12T11:15:12Z",
"severity": "CRITICAL"
},
"details": "LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning.",
"id": "GHSA-6vcf-cfjp-qxcw",
"modified": "2025-01-27T18:33:40Z",
"published": "2023-05-12T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27238"
},
{
"type": "PACKAGE",
"url": "https://github.com/LavaLite/cms"
},
{
"type": "WEB",
"url": "https://github.com/LavaLite/cms/blob/c0a36dd748c8f7ff53eb16eb572bdeebe72eb420/app/Http/Controllers/ResourceController.php#L8"
},
{
"type": "WEB",
"url": "https://github.com/M19O/Security-Advisories/tree/main/CVE-2023-27238"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "LavaLite vulnerable to web cache poisoning "
}
GHSA-6X9X-8QW9-9PP6
Vulnerability from github – Published: 2018-10-19 16:16 – Updated: 2022-09-14 01:09Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), are vulnerable to HTTP Request Smuggling when presented with two content-lengths headers, allowing authorization bypass. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decides on the shorter length, but still passes on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary is imposing authorization, the fake pipelined request bypasses that authorization.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.2.25.v20180606"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.3.0"
},
{
"fixed": "9.3.24.v20180605"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.4.0"
},
{
"fixed": "9.4.11.v20180605"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-7658"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:20:39Z",
"nvd_published_at": "2018-06-26T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), are vulnerable to HTTP Request Smuggling when presented with two content-lengths headers, allowing authorization bypass. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decides on the shorter length, but still passes on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary is imposing authorization, the fake pipelined request bypasses that authorization.",
"id": "GHSA-6x9x-8qw9-9pp6",
"modified": "2022-09-14T01:09:24Z",
"published": "2018-10-19T16:16:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7658"
},
{
"type": "WEB",
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-6x9x-8qw9-9pp6"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20181014-0001"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4278"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106566"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041194"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling)"
}
GHSA-73H3-W2HP-Q47Q
Vulnerability from github – Published: 2023-07-06 06:30 – Updated: 2024-04-04 05:25All versions of the package drogonframework/drogon are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values in the addHeader and addCookie functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.
{
"affected": [],
"aliases": [
"CVE-2023-26137"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-06T05:15:09Z",
"severity": "MODERATE"
},
"details": "All versions of the package drogonframework/drogon are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values in the addHeader and addCookie functions. An attacker can add the \\r\\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.",
"id": "GHSA-73h3-w2hp-q47q",
"modified": "2024-04-04T05:25:56Z",
"published": "2023-07-06T06:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26137"
},
{
"type": "WEB",
"url": "https://gist.github.com/dellalibera/666d67165830ded052a1ede2d2c0b02a"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-5665554"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-753J-MPMX-QQ6G
Vulnerability from github – Published: 2024-06-06 21:41 – Updated: 2024-06-06 21:41Summary
When Tornado receives a request with two Transfer-Encoding: chunked headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. Pound does this.
PoC
- Install Tornado.
- Start a simple Tornado server that echoes each received request's body:
cat << EOF > server.py
import asyncio
import tornado
class MainHandler(tornado.web.RequestHandler):
def post(self):
self.write(self.request.body)
async def main():
tornado.web.Application([(r"/", MainHandler)]).listen(8000)
await asyncio.Event().wait()
asyncio.run(main())
EOF
python3 server.py &
- Send a valid chunked request:
printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000
- Observe that the response is as expected:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Sat, 07 Oct 2023 17:32:05 GMT
Content-Length: 1
Z
- Send a request with two
Transfer-Encoding: chunkedheaders:
printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000
- Observe the strange response:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Sat, 07 Oct 2023 17:35:40 GMT
Content-Length: 0
HTTP/1.1 400 Bad Request
This is because Tornado believes that the request has no message body, so it tries to interpret 1\r\nZ\r\n0\r\n\r\n as its own request, which causes a 400 response. With a little cleverness involving chunk-exts, you can get Tornado to instead respond 405, which has the potential to desynchronize the connection, as opposed to 400 which should always result in a connection closure.
Impact
Anyone using Tornado behind a proxy that forwards requests containing multiple Transfer-Encoding: chunked headers is vulnerable to request smuggling, which may entail ACL bypass, cache poisoning, or connection desynchronization.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.4.0"
},
"package": {
"ecosystem": "PyPI",
"name": "tornado"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-06T21:41:20Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nWhen Tornado receives a request with two `Transfer-Encoding: chunked` headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. [Pound](https://en.wikipedia.org/wiki/Pound_(networking)) does this.\n\n### PoC\n0. Install Tornado.\n1. Start a simple Tornado server that echoes each received request\u0027s body:\n```bash\ncat \u003c\u003c EOF \u003e server.py\nimport asyncio\nimport tornado\n\nclass MainHandler(tornado.web.RequestHandler):\n def post(self):\n self.write(self.request.body)\n\nasync def main():\n tornado.web.Application([(r\"/\", MainHandler)]).listen(8000)\n await asyncio.Event().wait()\n\nasyncio.run(main())\nEOF\npython3 server.py \u0026\n```\n2. Send a valid chunked request:\n```bash\nprintf \u0027POST / HTTP/1.1\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n1\\r\\nZ\\r\\n0\\r\\n\\r\\n\u0027 | nc localhost 8000\n```\n3. Observe that the response is as expected:\n```\nHTTP/1.1 200 OK\nServer: TornadoServer/6.3.3\nContent-Type: text/html; charset=UTF-8\nDate: Sat, 07 Oct 2023 17:32:05 GMT\nContent-Length: 1\n\nZ\n```\n4. Send a request with two `Transfer-Encoding: chunked` headers:\n```\nprintf \u0027POST / HTTP/1.1\\r\\nTransfer-Encoding: chunked\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n1\\r\\nZ\\r\\n0\\r\\n\\r\\n\u0027 | nc localhost 8000\n```\n5. Observe the strange response:\n```\nHTTP/1.1 200 OK\nServer: TornadoServer/6.3.3\nContent-Type: text/html; charset=UTF-8\nDate: Sat, 07 Oct 2023 17:35:40 GMT\nContent-Length: 0\n\nHTTP/1.1 400 Bad Request\n\n```\nThis is because Tornado believes that the request has no message body, so it tries to interpret `1\\r\\nZ\\r\\n0\\r\\n\\r\\n` as its own request, which causes a 400 response. With a little cleverness involving `chunk-ext`s, you can get Tornado to instead respond 405, which has the potential to desynchronize the connection, as opposed to 400 which should always result in a connection closure.\n\n### Impact\nAnyone using Tornado behind a proxy that forwards requests containing multiple `Transfer-Encoding: chunked` headers is vulnerable to request smuggling, which may entail ACL bypass, cache poisoning, or connection desynchronization.\n",
"id": "GHSA-753j-mpmx-qq6g",
"modified": "2024-06-06T21:41:20Z",
"published": "2024-06-06T21:41:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g"
},
{
"type": "WEB",
"url": "https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572"
},
{
"type": "PACKAGE",
"url": "https://github.com/tornadoweb/tornado"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) in tornado"
}
GHSA-767J-JFH2-JVRC
Vulnerability from github – Published: 2020-02-28 01:10 – Updated: 2022-09-08 14:06The refactoring present in Apache Tomcat versions 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.98"
},
{
"fixed": "7.0.100"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.48"
},
{
"fixed": "8.5.51"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.28"
},
{
"fixed": "9.0.31"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.98"
},
{
"fixed": "7.0.100"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.48"
},
{
"fixed": "8.5.51"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.28"
},
{
"fixed": "9.0.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-17569"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2020-02-25T16:19:11Z",
"nvd_published_at": "2020-02-24T22:15:00Z",
"severity": "MODERATE"
},
"details": "The refactoring present in Apache Tomcat versions 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.",
"id": "GHSA-767j-jfh2-jvrc",
"modified": "2022-09-08T14:06:08Z",
"published": "2020-02-28T01:10:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17569"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200327-0005"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4673"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4680"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Potential HTTP request smuggling in Apache Tomcat"
}
GHSA-77R5-GW3J-2MPF
Vulnerability from github – Published: 2024-05-09 21:07 – Updated: 2024-07-09 18:28Impact
Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.
For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.
Patches
The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.
Workarounds
There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.
References
https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "13.4.0"
},
{
"fixed": "13.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34350"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-09T21:07:00Z",
"nvd_published_at": "2024-05-14T15:38:41Z",
"severity": "HIGH"
},
"details": "### Impact\nInconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.\n\nFor a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js.\n\n### Patches\nThe vulnerability is resolved in Next.js `13.5.1` and newer. This includes Next.js `14.x`.\n\n### Workarounds\nThere are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.\n\n### References\nhttps://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning",
"id": "GHSA-77r5-gw3j-2mpf",
"modified": "2024-07-09T18:28:18Z",
"published": "2024-05-09T21:07:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34350"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/vercel/next.js"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Next.js Vulnerable to HTTP Request Smuggling"
}
GHSA-78V6-G7VR-73HG
Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2023-12-12 03:31SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing low impact on Confidentiality of the application.
{
"affected": [],
"aliases": [
"CVE-2023-49584"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-12T02:15:08Z",
"severity": "MODERATE"
},
"details": "SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing low impact on Confidentiality of the application.\n\n",
"id": "GHSA-78v6-g7vr-73hg",
"modified": "2023-12-12T03:31:45Z",
"published": "2023-12-12T03:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49584"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3406786"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-79WQ-6WVX-6VR7
Vulnerability from github – Published: 2023-01-20 09:30 – Updated: 2023-02-01 18:30Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS.
{
"affected": [],
"aliases": [
"CVE-2023-23691"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-20T08:15:00Z",
"severity": "HIGH"
},
"details": "Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim\u0027s browser to desynchronize its connection with the website, typically leading to XSS and DoS.",
"id": "GHSA-79wq-6wvx-6vr7",
"modified": "2023-02-01T18:30:30Z",
"published": "2023-01-20T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23691"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000207533/dsa-2023-018-dell-emc-powervault-me5-security-update-for-a-client-desync-attack-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7HXV-XG9W-4XG7
Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-05-12 15:31An inconsistent interpretation of http requests ('http request smuggling') vulnerability in Fortinet FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4.3 through 6.4.16 may allow an unauthenticated attacker to smuggle an unlogged http request through the firewall policies via a specially crafted header
{
"affected": [],
"aliases": [
"CVE-2025-55018"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T16:16:08Z",
"severity": "MODERATE"
},
"details": "An inconsistent interpretation of http requests (\u0027http request smuggling\u0027) vulnerability in Fortinet FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4.3 through 6.4.16 may allow an unauthenticated attacker to smuggle an unlogged http request through the firewall policies via a specially crafted header",
"id": "GHSA-7hxv-xg9w-4xg7",
"modified": "2026-05-12T15:31:14Z",
"published": "2026-02-10T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55018"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-975644.html"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-667"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Mitigation
Use only SSL communication.
Mitigation
Terminate the client session after each request.
Mitigation
Turn all pages to non-cacheable.
CAPEC-273: HTTP Response Smuggling
An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).
See CanPrecede relationships for possible consequences.
CAPEC-33: HTTP Request Smuggling
An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).
See CanPrecede relationships for possible consequences.